Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp2588116pxb; Tue, 23 Feb 2021 10:26:23 -0800 (PST) X-Google-Smtp-Source: ABdhPJzjWnlh1FbDdLHcYkzcMULKF0LpAKTmwdkriTxQwbw9bWK+B0f74HiFHtpQ3AhVr41JNt4n X-Received: by 2002:a17:906:c444:: with SMTP id ck4mr27989840ejb.156.1614104783681; Tue, 23 Feb 2021 10:26:23 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1614104783; cv=none; d=google.com; s=arc-20160816; b=dGKepniWUzlBx63YtzY3E3D22aZwhsaYXdpI+ZHA2AiGB5EFYqJcx9rrT7isM5ChQW KRbSGa1Vr+1YYx0VeLLFLTweYj03ZoUjU0nXnhor8cSP9XjTAdBBL7djVGKfv6K7daYJ Pk9mAPVjPEP36alXjlZuwuUlWYSlQQ60Fp2rQnBEillbr90y6qw2knGHslqrS26AezZo ewcS1CHgfxeOrnaLpojf9prWvyr6FIJu2kn6dCM36y7cYwHZ3Pmj/FRfyAGU7oioQOG5 JI4su3ZrQhIcdCCp23A6iqbP8AJ9zYkciXU/oLNuPTdx5YXEbX5lrQ3SiCu1DIyc9PQA yJMw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature; bh=LNGMe6Cvd1XCSfu9VVHlx9YQUG5vihvHCmqx0hhKPV0=; b=w4cs7ckZvRzCSPXVKDIvHEoEjfhAoEa2FW/zdpbHlG1OoJyzd7P4Y2+SyHc9hHPJxE Fi+VCVMg0c94ckVTgvVDHPVgJglmNjS06GEhNdLPxBl6sn7mtVyp1YuwlITPIg62Zpae KVXM9HKImfO/GAfRqSymJb0g0Z9/G+jESIlN/r72Vm5wegO1y9fZaMTy2dGZX3xPDGaN QyVTnj81DrZgEutOn5VkaK/AqpwNyL/EbXFd3xHnUnT8s668x4HxQcB6gOjP0ovWrntS 5yrdHwGKNuedNNLU+mup5mLAXzaIXMjTNaUJSU3BlHaPpS7BWKyCNZpRQDcbWQZgD0n7 bvLg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmx.net header.s=badeba3b8450 header.b=b8eXfWIk; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=gmx.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id ov10si11330192ejb.502.2021.02.23.10.25.59; Tue, 23 Feb 2021 10:26:23 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@gmx.net header.s=badeba3b8450 header.b=b8eXfWIk; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=gmx.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233984AbhBWSXN (ORCPT + 99 others); Tue, 23 Feb 2021 13:23:13 -0500 Received: from mout.gmx.net ([212.227.17.21]:50059 "EHLO mout.gmx.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233955AbhBWSWy (ORCPT ); Tue, 23 Feb 2021 13:22:54 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=gmx.net; s=badeba3b8450; t=1614104458; bh=LNGMe6Cvd1XCSfu9VVHlx9YQUG5vihvHCmqx0hhKPV0=; h=X-UI-Sender-Class:Date:From:To:Cc:Subject:References:In-Reply-To; b=b8eXfWIkdfI9dqA57yi3nGbosdYSBUNJDMhOcRw2GHPH+dmOh5uC1J/Hp31YZAjcV +zRAAeXdyMj0KmiFei6nCtQHfCM5Kjz0ZWIZHdOnf66PLP8B3Ebx3ej/ZKOlI4U0zF l4jmOUDGQowruQpseoLGbz41Ek7Tdms7Lld9j6/c= X-UI-Sender-Class: 01bb95c1-4bf8-414a-932a-4f6e2808ef9c Received: from ubuntu ([83.52.229.153]) by mail.gmx.net (mrgmx105 [212.227.17.174]) with ESMTPSA (Nemesis) id 1N4Qwg-1lwA162sXW-011Tar; Tue, 23 Feb 2021 19:20:58 +0100 Date: Tue, 23 Feb 2021 19:20:54 +0100 From: John Wood To: Randy Dunlap , Kees Cook , Jann Horn , Jonathan Corbet , James Morris , Shuah Khan Cc: John Wood , "Serge E. Hallyn" , Greg Kroah-Hartman , linux-doc@vger.kernel.org, linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org, linux-kselftest@vger.kernel.org Subject: Re: [PATCH v3 3/8] securtiy/brute: Detect a brute force attack Message-ID: <20210223182054.GB3068@ubuntu> References: <20210221154919.68050-1-john.wood@gmx.com> <20210221154919.68050-4-john.wood@gmx.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: X-Provags-ID: V03:K1:HHPCxdrBHvji0o9LTCCMJdtyWfbj8bwS0V/XvyVAe4PUGRQrPFi klx54ZU4/Kz8iqglnyYer/wrmY6B2QFNcz3TwL3MDj8RvYaldC6XSITmO5dUCfIrdrMohTo q8QYCfWxasXAEaxuB7y2CmOvutmjLtvoutB4OsnMqkBvznmJ3nUxH9O1WTh0r/Xfbci76VB IJGnOEZOmOX102WUkuolA== X-Spam-Flag: NO X-UI-Out-Filterresults: notjunk:1;V03:K0:z5dm1mICMC0=:e0YCvR3+cDEyUvDDJkEqGc XPksfhcj1y8ui+NpkMjrwFGhmx4HdXtYLDypP8CJLb1ZOc4Bdnu6udfgRmBjX64c8O8ad/osG fEgpg8RFAf4woOA2xtMffDyeBMoURSSLARclBQMmkhFxa2Kg1pZje3uGnJkVW1IBKVPiM8wgd JhWWDvUvfA3ThI6EetU8e2gc3WYNs4+puN6544+RJsESWnzDxzPupqdEOEsU9BxFqvJCoA69+ zCJPNmW8lD0u+aPARsZ1rnZM7vQDztTy4QUDpNZu0eHMPIgc5WTaYyRwattiaR7gJzhQpZCAe G0y1jupIrMlWOgbiVuHYnO3xObLnNAglVUYLFOk/CwEACVMpzOFB+NNe4Xww51CNRhDZfONfz TAvv30M/p1UEzYIsFi0Rp2YFblKrzmEQ14DtOLuCF86NfnJFCVWEG3Imb3x5JkegnqEbTmG6R cmmqLiDcd5s8sxALXU1H2gvSRMZKUGFYyRxSSGuLBs+h7gkx24wpx2uRWludOfmJ0E/DMrdx1 jlaeB1Pjqv5pnlFVwQ8gVCu3lJ1rC24wxmGPbnm39azsjtTxAM2UsKXbBKrKMhD3PaBC3WUlt luE6+2hCXoZcrM07zqyJIxjgj4klpwhETczxys3cXhXdMXRFAOlnc6TKZfciIJJ/msAnNxldB B15BapT7mte9IT2E49dGmGA/7N5KJCFTaiIDB8S0PcwALpnOyvU+MuowahyPfCC+Sl+IG6syg nibnJkQRZ5xZQS0J+hIk7MXZ1iK4am/qmviGBwxctJJl1IkJrL9epVg1OHf2yi0o+eJl20iK/ KKNmrUQHOOBSW+gCv88i5h1WeSS2U8TVhkz2kv1UmB0iWct6p8DA8KTfdPV/tnWwphLRWW6Uu +GW/Zbu3UM/Ra/8q7TFQ== Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi, On Sun, Feb 21, 2021 at 06:47:16PM -0800, Randy Dunlap wrote: > Hi-- > > scripts/kernel-doc does not like these items to be marked > as being in kernel-doc notation. scripts/kernel-doc does not > recognize them as one of: struct, union, enum, typedef, so it > defaults to trying to interpret these as functions, and then > says: > > (I copied these blocks to my test megatest.c source file.) > > > ../src/megatest.c:1214: warning: cannot understand function prototype: '= const u64 BRUTE_EMA_WEIGHT_NUMERATOR =3D 7; ' > ../src/megatest.c:1219: warning: cannot understand function prototype: '= const u64 BRUTE_EMA_WEIGHT_DENOMINATOR =3D 10; ' > ../src/megatest.c:1228: warning: cannot understand function prototype: '= const unsigned char BRUTE_MAX_FAULTS =3D 200; ' > ../src/megatest.c:1239: warning: cannot understand function prototype: '= const unsigned char BRUTE_MIN_FAULTS =3D 5; ' > ../src/megatest.c:1249: warning: cannot understand function prototype: '= const u64 BRUTE_CRASH_PERIOD_THRESHOLD =3D 30000; ' > > > On 2/21/21 7:49 AM, John Wood wrote: > > > > +/** > > + * brute_stats_ptr_lock - Lock to protect the brute_stats structure p= ointer. > > + */ > > +static DEFINE_RWLOCK(brute_stats_ptr_lock); > > > +/** > > + * BRUTE_EMA_WEIGHT_NUMERATOR - Weight's numerator of EMA. > > + */ > > +static const u64 BRUTE_EMA_WEIGHT_NUMERATOR =3D 7; > > > +/** > > + * BRUTE_EMA_WEIGHT_DENOMINATOR - Weight's denominator of EMA. > > + */ > > +static const u64 BRUTE_EMA_WEIGHT_DENOMINATOR =3D 10; > > > +/** > > + * BRUTE_MAX_FAULTS - Maximum number of faults. > > + * > > + * If a brute force attack is running slowly for a long time, the app= lication > > + * crash period's EMA is not suitable for the detection. This type of= attack > > + * must be detected using a maximum number of faults. > > + */ > > +static const unsigned char BRUTE_MAX_FAULTS =3D 200; > > > +/** > > + * BRUTE_MIN_FAULTS - Minimum number of faults. > > + * > > + * The application crash period's EMA cannot be used until a minimum = number of > > + * data has been applied to it. This constraint allows getting a tren= d when this > > + * moving average is used. Moreover, it avoids the scenario where an = application > > + * fails quickly from execve system call due to reasons unrelated to = a real > > + * attack. > > + */ > > +static const unsigned char BRUTE_MIN_FAULTS =3D 5; > > > +/** > > + * BRUTE_CRASH_PERIOD_THRESHOLD - Application crash period threshold. > > + * > > + * The units are expressed in milliseconds. > > + * > > + * A fast brute force attack is detected when the application crash p= eriod falls > > + * below this threshold. > > + */ > > +static const u64 BRUTE_CRASH_PERIOD_THRESHOLD =3D 30000; > > Basically we don't support scalars in kernel-doc notation... So, to keep it commented it would be better to use a normal comment block? /* * Documentation here */ What do you think? Thanks, John Wood > -- > ~Randy >